
Az Devops Security CLI does not work #29308

Open

Description

Describe the bug

I’ve created a scoped group for the project in azdevops and can assign-unassign permissions at the project level without any problems.

I want to block repository creation and understand that it’s an object-level security permission.

I run the following command string in CLI:

$subject = the portion of the descriptor field that matches the group name ("vssgp. Uy0x…")

```powershell
$orgUrl = "https://dev.azure.com/XXX"

$namespaceId = az devops security permission namespace list -o json --org "$orgUrl" --query "[?@.name == 'Git Repositories'].namespaceId | [0]"

$bit = az devops security permission namespace show -o json --namespace-id $namespaceId --org "$orgUrl" --query "[0].actions[?@.name == 'CreateRepository'].bit | [0]"
```

Finally, I execute the command:

```powershell
az devops security permission update --id $namespaceId --subject $subject --token '$PROJECT:vstfs:///Classification/TeamProject/XXX-ID PROJECT-XX' --deny-bit $bit --org "$orgUrl" --merge true
```

I get the project id through the Azure Rest API and it works at the project level, however the object-level permissions

The GUIDs used in the command comply with the indicated format.

```powershell
az devops security permission update --id 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' --subject vssgp. Uy0… jU4 --token '$PROJECT:vstfs:///Classification/TeamProject/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' --deny-bit 16 --org https://dev.azure.com/ORG-CFM-GOB-Gobierno-IT
```

As I mentioned, the command works with project-level permissions but not with object-level ones such as 'Git Repositories', according to https://learn.microsoft.com/es-es/azure/devops/organizations/security/permissions?view=azure-devops&tabs=current-page#project-level-permissions

The CLI response when running at the project level is

```json
[
  {
    "acesDictionary": {
      "Microsoft.TeamFoundation.Identity; S-1-9-…-3252845889-… -2985685298-… -1-1409785011-596615241-…-1374749258": {
        "allow": 2228230,
        "deny": 0,
        "descriptor": "Microsoft.TeamFoundation.Identity; S-1-9…-1374749258",
        "extendedInfo": {
          "effectiveAllow": 2228230
        },
        "resolvedPermissions": [
          {
            "bit": 4,
            "displayName": "Delete this node",
            "effectivePermission": "Allow",
            "name": "DELETE"
          }
        ]
      }
    },
    "includeExtendedInfo": true,
    "inheritPermissions": true,
    "token": "$PROJECT:vstfs:///Classification/TeamProject/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  }
]
```

But when running the commands at the object level:

TF400898: An Internal Error Occurred. Activity Id: 7232aeb7-1e2b-4310-93a6-d04798563461.

TF400898: An Internal Error Occurred. Activity Id: f6fc89af-c214-428b-b6b1-a46f4cae629e.

TF400898: An Internal Error Occurred. Activity Id: b6163f57-3fed-4bc0-b08a-6c2f0eeb2fb2.

TF400898: An Internal Error Occurred. Activity Id: 9c75f855-e3e4-4b9e-bf79-d58ff19bb95e.

Related command

az devops security permission update --id $namespaceId --subject $subject --token '$PROJECT:vstfs:///Classification/TeamProject/XXXX-XXX....' --deny-bit $bit --org "$orgUrl" --merge true

Errors

The command failed when it should assign permissions

Issue script & Debug output

TF400898: An Internal Error Occurred. Activity Id: 7232aeb7-1e2b-4310-93a6-d04798563461.

TF400898: An Internal Error Occurred. Activity Id: f6fc89af-c214-428b-b6b1-a46f4cae629e.

TF400898: An Internal Error Occurred. Activity Id: b6163f57-3fed-4bc0-b08a-6c2f0eeb2fb2.

TF400898: An Internal Error Occurred. Activity Id: 9c75f855-e3e4-4b9e-bf79-d58ff19bb95e.

Expected behavior

Assign or unassign a permission

Environment Summary

azure-cli 2.61.0

core 2.61.0
telemetry 1.1.0

Extensions:
azure-devops 1.0.1

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1

Additional context

No response
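
An added example, not part of the original issue or of the Azure CLI project: a Python check that reads JSON in the shape of the ACL response quoted above (for instance saved from `az devops security permission show`) and reports whether a given deny bit is present, which helps confirm what state an ACE is in after an update fails with TF400898. The descriptor is a placeholder, the sample is constructed from the masks shown in the issue, and treating an explicit deny as overriding allow is an assumption.

```python
import json

# Constructed sample shaped like the CLI response quoted in the issue;
# the descriptor is a placeholder, the masks are the ones shown there.
SAMPLE = json.loads("""
[{"acesDictionary": {
    "Microsoft.TeamFoundation.Identity;S-1-9-PLACEHOLDER": {
      "allow": 2228230, "deny": 0,
      "descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-PLACEHOLDER"}},
  "inheritPermissions": true,
  "token": "$PROJECT:vstfs:///Classification/TeamProject/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"}]
""")


def set_bits(mask):
    """Split a permission mask into the individual bit values it contains."""
    return [1 << i for i in range(mask.bit_length()) if (mask >> i) & 1]


def bit_state(ace, bit):
    """State of one bit in one ACE. Assumption: an explicit deny wins."""
    if ace.get("deny", 0) & bit:
        return "Deny"
    if ace.get("allow", 0) & bit:
        return "Allow"
    return "Not set"


def audit(acls, bit, token_prefix=""):
    """Return {(token, descriptor): state} for every ACE under token_prefix."""
    report = {}
    for acl in acls:
        if not acl.get("token", "").startswith(token_prefix):
            continue
        for descriptor, ace in acl.get("acesDictionary", {}).items():
            report[(acl["token"], descriptor)] = bit_state(ace, bit)
    return report


def deny_applied(acls, bit, descriptor):
    """True only if some ACL carries the deny bit for this descriptor."""
    return any(
        acl.get("acesDictionary", {}).get(descriptor, {}).get("deny", 0) & bit
        for acl in acls
    )


if __name__ == "__main__":
    ace = next(iter(SAMPLE[0]["acesDictionary"].values()))
    print("allow bits:", set_bits(ace["allow"]))
    print("bit 16:", audit(SAMPLE, 16))
```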


Labels

- Auto-Assign: Auto assign by bot
- DevOps
- Service Attention: This issue is responsible by Azure service team.
- bug: This issue requires a change to an existing behavior in the product in order to be resolved.
- customer-reported: Issues that are reported by GitHub users external to the Azure organization.
